[4747] in WWW Security List Archive
Why do you think you can trust PC software? (was Re: Latest Java hole is Netscape/Sun only)
daemon@ATHENA.MIT.EDU (Jay Heiser)
Mon Mar 10 11:58:19 1997
Date: Mon, 10 Mar 1997 09:17:33 -0500
From: Jay Heiser <Jay@homecom.com>
Reply-To: jay@homecom.com
To: WWW-SECURITY@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Dennis Glatting wrote:
> > From: Thomas Reardon <thomasre@microsoft.com>
> > the sandbox anymore. Sandboxes are great for *untrusted
> > code*. And ActiveX is absolutely only good for *trusted* code
> With the code signature model there isn't a realistic method,
> short of third party analysis of the source code and its
> dependencies and world-wide legal liability, the signer
> (assuming a third party) or the recipient has to believe the
> code is trustworthy. From a security perspective, signing a
> code blob offers little value other then verification of
> transport. It is a "trust me" model, which the Snake Oil FAQ
> offers appropriate commentary.
I might be missing something here, but how do you trust ANY code?
Do you got to the store and buy commercial software in boxes and put
it on your computers? There isn't a piece of commercial software in
the world that meets the above criteria.
Realistically, the world would rather not write its own code, nor spend
great amounts of money testing commercial code that apparently works.
Right or wrong, that's the way people who buy software prefer to
operate.
If a code signature model can provide them as much or more level of
comfort as buying software retail, than I submit that it has a good
chance of being commercially viable.
Of course there is risk, but worthwhile activity lacks that?
Show me an example of PC software that you would consider
'trustworthy'.
--
Jay Heiser, 703-610-6846, jay@homecom.com
Homecom Internet Security Services
http://www.homecom.com/services/hiss
For company & industry news...subscribe to newsletter@homecom.com
